openclaw/smart-customer-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'develop' into feature/auth-management-system

Browse Source
This commit is contained in:
Eric Zheng
2026-03-01 11:56:28 +08:00
parent 3af5009ba8 8344e0f6e0
commit 7eca5ac337
4 changed files with 1043 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
backend/internal/models/auth.go Normal file
View File

@@ -0,0 +1,114 @@
package models
import (
"time"
)
// AuthToken 认证令牌模型
type AuthToken struct {
ID uint `gorm:"primaryKey" json:"id"`
TenantID uint `gorm:"not null;index" json:"tenant_id"`
UserID uint `gorm:"not null;index" json:"user_id"`
// 令牌信息
Token string `gorm:"size:512;not null;uniqueIndex" json:"token"`
TokenType string `gorm:"size:20;not null" json:"token_type"` // access, refresh
ExpiresAt time.Time `gorm:"not null" json:"expires_at"`
// 设备信息
DeviceID string `gorm:"size:100" json:"device_id"`
DeviceName string `gorm:"size:100" json:"device_name"`
DeviceType string `gorm:"size:50" json:"device_type"` // web, mobile, desktop
IPAddress string `gorm:"size:45" json:"ip_address"`
UserAgent string `gorm:"type:text" json:"user_agent"`
// 状态
IsRevoked bool `gorm:"default:false" json:"is_revoked"`
RevokedAt *time.Time `json:"revoked_at"`
RevokedReason string `gorm:"size:200" json:"revoked_reason"`
// 时间戳
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
// 关联
Tenant Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
User User `gorm:"foreignKey:UserID" json:"user,omitempty"`
}
// LoginAttempt 登录尝试记录
type LoginAttempt struct {
ID uint `gorm:"primaryKey" json:"id"`
TenantID uint `gorm:"not null;index" json:"tenant_id"`
UserID *uint `gorm:"index" json:"user_id"`
// 尝试信息
Username string `gorm:"size:100" json:"username"`
Email string `gorm:"size:100" json:"email"`
IPAddress string `gorm:"size:45;not null" json:"ip_address"`
UserAgent string `gorm:"type:text" json:"user_agent"`
// 结果
Success bool `gorm:"not null" json:"success"`
FailureReason string `gorm:"size:200" json:"failure_reason"`
// 时间戳
CreatedAt time.Time `json:"created_at"`
// 关联
Tenant Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
User *User `gorm:"foreignKey:UserID" json:"user,omitempty"`
}
// PasswordReset 密码重置请求
type PasswordReset struct {
ID uint `gorm:"primaryKey" json:"id"`
TenantID uint `gorm:"not null;index" json:"tenant_id"`
UserID uint `gorm:"not null;index" json:"user_id"`
// 重置信息
Token string `gorm:"size:100;not null;uniqueIndex" json:"token"`
ExpiresAt time.Time `gorm:"not null" json:"expires_at"`
// 状态
IsUsed bool `gorm:"default:false" json:"is_used"`
UsedAt *time.Time `json:"used_at"`
IPAddress string `gorm:"size:45" json:"ip_address"`
// 时间戳
CreatedAt time.Time `json:"created_at"`
// 关联
Tenant Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
User User `gorm:"foreignKey:UserID" json:"user,omitempty"`
}
// Session 用户会话
type Session struct {
ID uint `gorm:"primaryKey" json:"id"`
TenantID uint `gorm:"not null;index" json:"tenant_id"`
UserID uint `gorm:"not null;index" json:"user_id"`
// 会话信息
SessionID string `gorm:"size:100;not null;uniqueIndex" json:"session_id"`
ExpiresAt time.Time `gorm:"not null" json:"expires_at"`
// 设备信息
DeviceID string `gorm:"size:100" json:"device_id"`
DeviceName string `gorm:"size:100" json:"device_name"`
DeviceType string `gorm:"size:50" json:"device_type"`
IPAddress string `gorm:"size:45" json:"ip_address"`
UserAgent string `gorm:"type:text" json:"user_agent"`
// 活动信息
LastActivity time.Time `json:"last_activity"`
IsActive bool `gorm:"default:true" json:"is_active"`
// 时间戳
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
// 关联
Tenant Tenant `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
User User `gorm:"foreignKey:UserID" json:"user,omitempty"`
}

425
backend/internal/services/auth_service.go Normal file
View File

@@ -0,0 +1,425 @@
package services
import (
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"strings"
"time"
"smart-customer-service/config"
"smart-customer-service/internal/models"
"smart-customer-service/pkg/database"
"smart-customer-service/pkg/jwt"
"golang.org/x/crypto/bcrypt"
"gorm.io/gorm"
)
type AuthService struct {
cfg *config.Config
db *gorm.DB
jwt *jwt.JWTManager
}
func NewAuthService(cfg *config.Config, db *gorm.DB) *AuthService {
return &AuthService{
cfg: cfg,
db: db,
jwt: jwt.NewJWTManager(cfg.JWT.Secret),
}
}
// LoginRequest 登录请求
type LoginRequest struct {
Email string `json:"email" binding:"required,email"`
Password string `json:"password" binding:"required,min=6"`
DeviceID string `json:"device_id"`
DeviceName string `json:"device_name"`
DeviceType string `json:"device_type"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
}
// LoginResponse 登录响应
type LoginResponse struct {
User *models.User `json:"user"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
ExpiresAt time.Time `json:"expires_at"`
TokenType string `json:"token_type"`
}
// RegisterRequest 注册请求
type RegisterRequest struct {
TenantID uint `json:"tenant_id"`
Username string `json:"username" binding:"required,min=3,max=50"`
Email string `json:"email" binding:"required,email"`
Password string `json:"password" binding:"required,min=6"`
FullName string `json:"full_name"`
Phone string `json:"phone"`
}
// RegisterResponse 注册响应
type RegisterResponse struct {
User *models.User `json:"user"`
Token string `json:"token"`
}
// Login 用户登录
func (s *AuthService) Login(req *LoginRequest) (*LoginResponse, error) {
// 记录登录尝试
loginAttempt := &models.LoginAttempt{
Email: req.Email,
IPAddress: req.IPAddress,
UserAgent: req.UserAgent,
Success: false,
}
defer s.recordLoginAttempt(loginAttempt)
// 查找用户
var user models.User
if err := s.db.Where("email = ?", req.Email).First(&user).Error; err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
loginAttempt.FailureReason = "用户不存在"
return nil, errors.New("用户名或密码错误")
}
loginAttempt.FailureReason = "数据库错误"
return nil, err
}
// 检查用户状态
if user.Status != "active" {
loginAttempt.FailureReason = "用户状态异常: " + user.Status
return nil, errors.New("用户账户不可用")
}
// 验证密码
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Password)); err != nil {
loginAttempt.UserID = &user.ID
loginAttempt.FailureReason = "密码错误"
return nil, errors.New("用户名或密码错误")
}
// 更新最后登录时间
now := time.Now()
user.LastLoginAt = &now
user.LastIP = req.IPAddress
if err := s.db.Save(&user).Error; err != nil {
loginAttempt.FailureReason = "更新登录信息失败"
return nil, err
}
// 生成JWT令牌
accessToken, accessExpiresAt, err := s.jwt.GenerateAccessToken(user.ID, user.TenantID, user.Role)
if err != nil {
loginAttempt.FailureReason = "生成令牌失败"
return nil, err
}
refreshToken, refreshExpiresAt, err := s.jwt.GenerateRefreshToken(user.ID, user.TenantID)
if err != nil {
loginAttempt.FailureReason = "生成刷新令牌失败"
return nil, err
}
// 保存令牌到数据库
authToken := &models.AuthToken{
TenantID: user.TenantID,
UserID: user.ID,
Token: refreshToken,
TokenType: "refresh",
ExpiresAt: refreshExpiresAt,
DeviceID: req.DeviceID,
DeviceName: req.DeviceName,
DeviceType: req.DeviceType,
IPAddress: req.IPAddress,
UserAgent: req.UserAgent,
}
if err := s.db.Create(authToken).Error; err != nil {
loginAttempt.FailureReason = "保存令牌失败"
return nil, err
}
// 创建会话
session := &models.Session{
TenantID: user.TenantID,
UserID: user.ID,
SessionID: generateSessionID(),
ExpiresAt: refreshExpiresAt,
DeviceID: req.DeviceID,
DeviceName: req.DeviceName,
DeviceType: req.DeviceType,
IPAddress: req.IPAddress,
UserAgent: req.UserAgent,
LastActivity: now,
}
if err := s.db.Create(session).Error; err != nil {
// 不影响主要登录流程,只记录日志
fmt.Printf("创建会话失败: %v\n", err)
}
// 标记登录尝试为成功
loginAttempt.UserID = &user.ID
loginAttempt.Success = true
loginAttempt.FailureReason = ""
s.recordLoginAttempt(loginAttempt)
return &LoginResponse{
User: &user,
AccessToken: accessToken,
RefreshToken: refreshToken,
ExpiresAt: accessExpiresAt,
TokenType: "Bearer",
}, nil
}
// Register 用户注册
func (s *AuthService) Register(req *RegisterRequest) (*RegisterResponse, error) {
// 检查邮箱是否已存在
var existingUser models.User
if err := s.db.Where("email = ? AND tenant_id = ?", req.Email, req.TenantID).First(&existingUser).Error; err == nil {
return nil, errors.New("邮箱已被注册")
}
// 检查用户名是否已存在
if err := s.db.Where("username = ? AND tenant_id = ?", req.Username, req.TenantID).First(&existingUser).Error; err == nil {
return nil, errors.New("用户名已被使用")
}
// 加密密码
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
if err != nil {
return nil, err
}
// 创建用户
user := &models.User{
TenantID: req.TenantID,
Username: req.Username,
Email: req.Email,
Password: string(hashedPassword),
FullName: req.FullName,
Phone: req.Phone,
Role: "user",
Status: "active",
IsVerified: false,
}
if err := s.db.Create(user).Error; err != nil {
return nil, err
}
// 生成验证令牌(简化版,实际应发送验证邮件)
verificationToken := generateRandomToken(32)
return &RegisterResponse{
User: user,
Token: verificationToken,
}, nil
}
// RefreshToken 刷新访问令牌
func (s *AuthService) RefreshToken(refreshToken string) (*LoginResponse, error) {
// 查找刷新令牌
var authToken models.AuthToken
if err := s.db.Where("token = ? AND token_type = 'refresh' AND is_revoked = false", refreshToken).First(&authToken).Error; err != nil {
return nil, errors.New("无效的刷新令牌")
}
// 检查令牌是否过期
if time.Now().After(authToken.ExpiresAt) {
// 标记令牌为已撤销
now := time.Now()
authToken.IsRevoked = true
authToken.RevokedAt = &now
authToken.RevokedReason = "令牌过期"
s.db.Save(&authToken)
return nil, errors.New("刷新令牌已过期")
}
// 查找用户
var user models.User
if err := s.db.First(&user, authToken.UserID).Error; err != nil {
return nil, errors.New("用户不存在")
}
// 检查用户状态
if user.Status != "active" {
return nil, errors.New("用户账户不可用")
}
// 生成新的访问令牌
accessToken, expiresAt, err := s.jwt.GenerateAccessToken(user.ID, user.TenantID, user.Role)
if err != nil {
return nil, err
}
return &LoginResponse{
User: &user,
AccessToken: accessToken,
ExpiresAt: expiresAt,
TokenType: "Bearer",
}, nil
}
// Logout 用户登出
func (s *AuthService) Logout(token string, userID uint) error {
// 撤销刷新令牌
var authToken models.AuthToken
if err := s.db.Where("token = ? AND user_id = ?", token, userID).First(&authToken).Error; err != nil {
return nil // 令牌不存在,无需处理
}
now := time.Now()
authToken.IsRevoked = true
authToken.RevokedAt = &now
authToken.RevokedReason = "用户主动登出"
return s.db.Save(&authToken).Error
}
// ValidateToken 验证访问令牌
func (s *AuthService) ValidateToken(token string) (*jwt.Claims, error) {
return s.jwt.ValidateToken(token)
}
// ChangePassword 修改密码
func (s *AuthService) ChangePassword(userID uint, oldPassword, newPassword string) error {
var user models.User
if err := s.db.First(&user, userID).Error; err != nil {
return errors.New("用户不存在")
}
// 验证旧密码
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(oldPassword)); err != nil {
return errors.New("旧密码错误")
}
// 加密新密码
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
if err != nil {
return err
}
user.Password = string(hashedPassword)
return s.db.Save(&user).Error
}
// RequestPasswordReset 请求密码重置
func (s *AuthService) RequestPasswordReset(email string, tenantID uint) (string, error) {
var user models.User
if err := s.db.Where("email = ? AND tenant_id = ?", email, tenantID).First(&user).Error; err != nil {
// 出于安全考虑,即使用户不存在也返回成功
return "", nil
}
// 生成重置令牌
token := generateRandomToken(32)
expiresAt := time.Now().Add(24 * time.Hour) // 24小时有效
resetRequest := &models.PasswordReset{
TenantID: tenantID,
UserID: user.ID,
Token: token,
ExpiresAt: expiresAt,
}
if err := s.db.Create(resetRequest).Error; err != nil {
return "", err
}
return token, nil
}
// ResetPassword 重置密码
func (s *AuthService) ResetPassword(token, newPassword string) error {
var resetRequest models.PasswordReset
if err := s.db.Where("token = ? AND is_used = false", token).First(&resetRequest).Error; err != nil {
return errors.New("无效的重置令牌")
}
// 检查令牌是否过期
if time.Now().After(resetRequest.ExpiresAt) {
return errors.New("重置令牌已过期")
}
// 查找用户
var user models.User
if err := s.db.First(&user, resetRequest.UserID).Error; err != nil {
return errors.New("用户不存在")
}
// 加密新密码
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
if err != nil {
return err
}
// 更新密码
user.Password = string(hashedPassword)
if err := s.db.Save(&user).Error; err != nil {
return err
}
// 标记重置令牌为已使用
now := time.Now()
resetRequest.IsUsed = true
resetRequest.UsedAt = &now
return s.db.Save(&resetRequest).Error
}
// 辅助函数
func (s *AuthService) recordLoginAttempt(attempt *models.LoginAttempt) {
if err := s.db.Create(attempt).Error; err != nil {
fmt.Printf("记录登录尝试失败: %v\n", err)
}
}
func generateSessionID() string {
b := make([]byte, 32)
rand.Read(b)
return base64.URLEncoding.EncodeToString(b)
}
func generateRandomToken(length int) string {
b := make([]byte, length)
rand.Read(b)
return base64.URLEncoding.EncodeToString(b)
}
// GetUserByToken 通过令牌获取用户信息
func (s *AuthService) GetUserByToken(token string) (*models.User, error) {
claims, err := s.ValidateToken(token)
if err != nil {
return nil, err
}
var user models.User
if err := s.db.First(&user, claims.UserID).Error; err != nil {
return nil, err
}
return &user, nil
}
// GetUserSessions 获取用户会话列表
func (s *AuthService) GetUserSessions(userID uint) ([]models.Session, error) {
var sessions []models.Session
err := s.db.Where("user_id = ? AND is_active = true", userID).Find(&sessions).Error
return sessions, err
}
// RevokeSession 撤销会话
func (s *AuthService) RevokeSession(sessionID string, userID uint) error {
var session models.Session
if err := s.db.Where("session_id = ? AND user_id = ?", sessionID, userID).First(&session).Error; err != nil {
return errors.New("会话不存在")
}
session.IsActive = false
return s.db.Save(&session).Error
}

249
backend/pkg/jwt/jwt_manager.go Normal file
View File

@@ -0,0 +1,249 @@
package jwt
import (
"errors"
"time"
"github.com/golang-jwt/jwt/v5"
)
// Claims JWT声明
type Claims struct {
UserID uint `json:"user_id"`
TenantID uint `json:"tenant_id"`
Role string `json:"role"`
jwt.RegisteredClaims
}
// JWTManager JWT管理器
type JWTManager struct {
secretKey []byte
}
// NewJWTManager 创建JWT管理器
func NewJWTManager(secretKey string) *JWTManager {
return &JWTManager{
secretKey: []byte(secretKey),
}
}
// GenerateAccessToken 生成访问令牌
func (m *JWTManager) GenerateAccessToken(userID, tenantID uint, role string) (string, time.Time, error) {
expiresAt := time.Now().Add(24 * time.Hour) // 24小时有效
claims := &Claims{
UserID: userID,
TenantID: tenantID,
Role: role,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
Issuer: "smart-customer-service",
Subject: "access_token",
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(m.secretKey)
if err != nil {
return "", time.Time{}, err
}
return tokenString, expiresAt, nil
}
// GenerateRefreshToken 生成刷新令牌
func (m *JWTManager) GenerateRefreshToken(userID, tenantID uint) (string, time.Time, error) {
expiresAt := time.Now().Add(7 * 24 * time.Hour) // 7天有效
claims := &Claims{
UserID: userID,
TenantID: tenantID,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
Issuer: "smart-customer-service",
Subject: "refresh_token",
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(m.secretKey)
if err != nil {
return "", time.Time{}, err
}
return tokenString, expiresAt, nil
}
// ValidateToken 验证令牌
func (m *JWTManager) ValidateToken(tokenString string) (*Claims, error) {
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
// 验证签名方法
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, errors.New("无效的签名方法")
}
return m.secretKey, nil
})
if err != nil {
return nil, err
}
if claims, ok := token.Claims.(*Claims); ok && token.Valid {
return claims, nil
}
return nil, errors.New("无效的令牌")
}
// ParseToken 解析令牌(不验证过期)
func (m *JWTManager) ParseToken(tokenString string) (*Claims, error) {
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
token, _, err := parser.ParseUnverified(tokenString, &Claims{})
if err != nil {
return nil, err
}
if claims, ok := token.Claims.(*Claims); ok {
return claims, nil
}
return nil, errors.New("无法解析令牌声明")
}
// GetTokenExpiration 获取令牌过期时间
func (m *JWTManager) GetTokenExpiration(tokenString string) (time.Time, error) {
claims, err := m.ParseToken(tokenString)
if err != nil {
return time.Time{}, err
}
return claims.ExpiresAt.Time, nil
}
// IsTokenExpired 检查令牌是否过期
func (m *JWTManager) IsTokenExpired(tokenString string) (bool, error) {
expiresAt, err := m.GetTokenExpiration(tokenString)
if err != nil {
return true, err
}
return time.Now().After(expiresAt), nil
}
// GeneratePasswordResetToken 生成密码重置令牌
func (m *JWTManager) GeneratePasswordResetToken(userID, tenantID uint) (string, time.Time, error) {
expiresAt := time.Now().Add(1 * time.Hour) // 1小时有效
claims := &Claims{
UserID: userID,
TenantID: tenantID,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
Issuer: "smart-customer-service",
Subject: "password_reset",
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(m.secretKey)
if err != nil {
return "", time.Time{}, err
}
return tokenString, expiresAt, nil
}
// GenerateEmailVerificationToken 生成邮箱验证令牌
func (m *JWTManager) GenerateEmailVerificationToken(userID, tenantID uint) (string, time.Time, error) {
expiresAt := time.Now().Add(24 * time.Hour) // 24小时有效
claims := &Claims{
UserID: userID,
TenantID: tenantID,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
Issuer: "smart-customer-service",
Subject: "email_verification",
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(m.secretKey)
if err != nil {
return "", time.Time{}, err
}
return tokenString, expiresAt, nil
}
// GenerateAPIToken 生成API令牌
func (m *JWTManager) GenerateAPIToken(tenantID uint, permissions []string) (string, time.Time, error) {
expiresAt := time.Now().Add(30 * 24 * time.Hour) // 30天有效
claims := &Claims{
TenantID: tenantID,
Role: "api",
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
Issuer: "smart-customer-service",
Subject: "api_token",
},
}
// 添加自定义声明
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
// 添加权限声明
token.Claims.(jwt.MapClaims)["permissions"] = permissions
tokenString, err := token.SignedString(m.secretKey)
if err != nil {
return "", time.Time{}, err
}
return tokenString, expiresAt, nil
}
// GetTokenClaims 获取令牌声明(安全版本)
func (m *JWTManager) GetTokenClaims(tokenString string) (map[string]interface{}, error) {
claims, err := m.ValidateToken(tokenString)
if err != nil {
return nil, err
}
return map[string]interface{}{
"user_id": claims.UserID,
"tenant_id": claims.TenantID,
"role": claims.Role,
"exp": claims.ExpiresAt.Time.Unix(),
"iat": claims.IssuedAt.Time.Unix(),
"iss": claims.Issuer,
"sub": claims.Subject,
}, nil
}
// RenewToken 续期令牌
func (m *JWTManager) RenewToken(tokenString string) (string, time.Time, error) {
claims, err := m.ValidateToken(tokenString)
if err != nil {
return "", time.Time{}, err
}
// 根据令牌类型续期
switch claims.Subject {
case "access_token":
return m.GenerateAccessToken(claims.UserID, claims.TenantID, claims.Role)
case "refresh_token":
return m.GenerateRefreshToken(claims.UserID, claims.TenantID)
case "api_token":
// API令牌不自动续期
return "", time.Time{}, errors.New("API令牌不支持自动续期")
default:
return "", time.Time{}, errors.New("未知的令牌类型")
}
}